"Majority of GAO's Cybersecurity Recommendations Not Implemented by Federal Agencies"

A new report by the US Government Accountability Office (GAO) revealed that out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December 2022. The GAO stated that until all of the recommendations are fully implemented, federal agencies will be more limited in their ability to protect private and sensitive data entrusted to them. The GAO has recently published the first in a series of four reports that bring into focus cybersecurity areas that need to be urgently addressed, starting with the need for a comprehensive cybersecurity strategy.

The White House and the National Security Council (NSC) issued a National Cyber Strategy and an Implementation Plan in 2018 and 2019, respectively, but the GAO reported in 2020 that these do not address all desirable characteristics of national strategies (only three out of six characteristics were included). The GAO noted that while an Office of the National Cyber Director position was established and filled in 2021, a comprehensive national strategy has yet to be fully developed and implemented. The GAO recommended that the National Security Council work with relevant federal entities to update cybersecurity strategy documents to include goals, performance measures, and resource information, among other things.

Another area that the GAO has been looking into is federal agencies' supply chain risk management practices. In 2020, out of 23 agencies reviewed, none had fully implemented all seven foundational practices in the area, and 14 had implemented none of these practices.

The GAO's new report also underlines the need for the Office of the National Cyber Director to address continuing cybersecurity workforce challenges, for federal agencies to improve the security of internet-connected devices, including Internet of Things (IoT) and operational technology (OT) devices, and for the federal government to address the risks associated with quantum computing and artificial intelligence (AI) technologies.

 

SecurityWeek reports: "Majority of GAO's Cybersecurity Recommendations Not Implemented by Federal Agencies"

Submitted by Anonymous on